
On 12/21/2011 09:14 AM, Stephen Gallagher wrote:
> On Wed, 2011-12-21 at 09:08 -0900, Erinn Looney-Triggs wrote:
>> On 12/21/2011 04:37 AM, Stephen Gallagher wrote:
>>> On Tue, 2011-12-20 at 12:59 -0900, Erinn Looney-Triggs wrote:
>>>> I have been working through configuring sudo via IPA and ran into the
>>>> following situation.
>>>> There is a directive in the documentation to configure
>>>> /etc/sssd/sssd.conf on the clients with something like the following:
>>>> ldap_netgroup_search_base = cn=ng,cn=compat,dc=example,dc=com
>>>> This is pulled from the docs here for reference:
>>>> This is fine and causes no problems, however, when I mistakenly left it
>>>> out on a few systems, sudo continued to function, so I am wondering what
>>>> it is that this directive does? Does this get sssd into the loop to
>>>> cache sudo rules for offline use?
>>>> Any ideas?
>>> Sorry for the confusion in the other responses to this thread. The short
>>> answer is this: SUDO can use LDAP rules (as you clearly know). It does
>>> this with its own internal LDAP lookup (it doesn't currently go through
>>> SSSD to accomplish this).
>>> However, SUDO rules can specify netgroups as part of their restrictions
>>> on who can do what (usually these are used to limit functions to certain
>>> hosts). In order to do this, SSSD needs to be configured to look up
>>> netgroups properly so that SUDO can use the 'getnetgrent()' glibc
>>> command to locate the netgroups.
>>> The doc you are looking at is actually a bit out of date. It's no longer
>>> necessary to provide that option, because if it's unspecified, we set it
>>> automatically to cn=ng,cn=compat,dc=example,dc=com (using the
>>> appropriate base, of course).
>>> Jan's comments about upstream work were that we recently made changes to
>>> avoid needing to use the compat tree for netgroup lookups and can
>>> instead use FreeIPA's native, custom schema for netgroups. That's not
>>> terribly relevant to you, but it's a useful piece of information.
>>> So, in short, you don't need to set it, the doc is outdated.
>>> _______________________________________________
>>> Freeipa-users mailing list
>>> Freeipa-users@redhat.com
>>> https://www.redhat.com/mailman/listinfo/freeipa-users
>> Ok thanks, that makes sense. One final question here, is there a way
>> to verify that sssd is in fact setting this properly? Not that I doubt
>> you of course, it is just a matter of so many versions of sssd in so
>> many places that it would be good to verify that it works
>> automagically on RHEL 5, 6, and whatever else, say Ubuntu etc.
>> -Erinn
> You can set 'debug_level = 6' in [domain/<DOMAINNAME>] of sssd.conf and
> restart. If you look in the sssd_<DOMAINNAME>.log, you should see a line
> setting the ldap_netgroup_search_base option.
Great, thank you so much for your time. I really appreciate it.

- -Erinn

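An added example (not code from the thread or from SSSD itself) of the verification step Stephen describes: it derives the compat-tree netgroup base SSSD defaults to from a constructed sssd.conf and checks a constructed debug_level 6 log excerpt for the line that sets ldap_netgroup_search_base. The log wording "Option ... has value ..." and the dp_get_options function name are assumptions; adjust the regex to what your sssd version prints.

```python
"""Check that sssd set ldap_netgroup_search_base for an IPA domain."""
import configparser
import re

# Constructed sssd.conf for an IPA client (sample data, not a real host).
SAMPLE_SSSD_CONF = """\
[sssd]
domains = example.com
services = nss, pam

[domain/example.com]
id_provider = ipa
ipa_domain = example.com
ldap_search_base = dc=example,dc=com
debug_level = 6
"""

# Constructed sssd_example.com.log excerpt at debug_level = 6. The exact
# wording of the option line is an assumption; adjust OPTION_RE if needed.
SAMPLE_LOG = """\
(Wed Dec 21 09:30:01 2011) [sssd[be[example.com]]] [dp_get_options] (0x0400): Option ldap_search_base has value dc=example,dc=com
(Wed Dec 21 09:30:01 2011) [sssd[be[example.com]]] [dp_get_options] (0x0400): Option ldap_netgroup_search_base has value cn=ng,cn=compat,dc=example,dc=com
(Wed Dec 21 09:30:01 2011) [sssd[be[example.com]]] [dp_get_options] (0x0400): Option ldap_sudo_search_base has value dc=example,dc=com
"""

OPTION_RE = re.compile(r"Option (\S+) has value (\S+)")


def expected_netgroup_base(conf_text, domain):
    """Netgroup base sssd should use: the explicit option if set, otherwise
    the compat tree under ldap_search_base, as the thread explains."""
    cfg = configparser.ConfigParser()
    cfg.read_string(conf_text)
    section = cfg["domain/" + domain]
    if "ldap_netgroup_search_base" in section:
        return section["ldap_netgroup_search_base"]
    return "cn=ng,cn=compat," + section["ldap_search_base"]


def logged_options(log_text):
    """Map option name -> value from the backend's option dump in the log."""
    return dict(OPTION_RE.findall(log_text))


def netgroup_base_ok(conf_text, log_text, domain):
    """True if the log shows ldap_netgroup_search_base set to the expected value."""
    seen = logged_options(log_text).get("ldap_netgroup_search_base")
    return seen == expected_netgroup_base(conf_text, domain)


if __name__ == "__main__":
    print(netgroup_base_ok(SAMPLE_SSSD_CONF, SAMPLE_LOG, "example.com"))
```

On a real client, read /etc/sssd/sssd.conf and /var/log/sssd/sssd_<DOMAINNAME>.log in place of the constructed strings.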
